Red Hat Bugzilla – Bug 811307
CUPS does not print when firewalld is running
Last modified: 2013-01-08 05:14:57 EST
Description of problem:
If I try to print a document, it gets printed only when firewalld is not running.
Is there documentation on how the needed ports can be enabled in the new firewall?
Can you attach the output from the Printing troubleshooter when you try to print with firewalld running?
Created attachment 915438
(This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).
Does that change anything when you edit /etc/firewalld/firewalld.conf,
change DefaultZone=public to DefaultZone=internal or to DefaultZone=trusted,
and run 'systemctl restart firewalld.service'?
DefaultZone=trusted works, too
Thanks, what about 'DefaultZone=work'?
DefaultZone=work also works
I think it would be a nice thing if it was possible to use a printer even in the default setup of the firewall, or to configure it automatically when a printer is added.
I changed my default zone to 'work', that works. How can I enable the port 25565 permanently?
So, I tried it myself by looking at the files in /usr/lib/firewalld and /etc/firewalld. First I created a new file /etc/firewalld/services/minecraft.xml that defines tcp port 25565. Second I copied internal.xml to /etc/firewalld/zones/cb.xml, added the service 'minecraft' there and changed the default zone to 'cb'. So far that seems to work. Is there a way to do something like this with less manual work or is that just the way to do it?
(In reply to comment #11)
> Is there a way to do something like this with less manual work or is that
> just the way to do it?
Brilliant! That's indeed the way.
There will finally be documentation for this in the next firewalld release, but you don't need it anymore :)
We don't have a GUI (firewall-config) yet so this is really the only way to do it at the moment.
One last question: is there some kind of inheritance regarding the files in /etc/firewalld and /usr/lib/firewalld, or is copying from /usr/lib/firewalld to /etc/firewalld always necessary?
No, there is no inheritance. The files in /usr/lib/firewalld are overloaded by the files in /etc/firewalld. Only immutable zones cannot be overloaded.
You should copy the files over to /etc/firewalld that you want to modify.
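The manual steps described in this thread (a service file for one port, a copied zone that enables it, a new default zone) together with the "no inheritance" rule from the reply above, scripted as an added example; this is not firewalld's own tooling. The `ROOT` prefix and the function names are assumptions made here so the steps can be tried in a scratch tree first.

```shell
#!/bin/sh
# Added example, not part of firewalld. ROOT is an assumed prefix for trying
# the steps in a scratch tree; leave it empty to work on the real directories.
ROOT="${ROOT:-}"
ETC="$ROOT/etc/firewalld"
LIB="$ROOT/usr/lib/firewalld"

# Print the file that is in effect: a file in /etc/firewalld replaces the
# file of the same name in /usr/lib/firewalld as a whole (no inheritance).
effective_file() {  # $1 = zones|services, $2 = name
    if [ -f "$ETC/$1/$2.xml" ]; then echo "$ETC/$1/$2.xml"
    elif [ -f "$LIB/$1/$2.xml" ]; then echo "$LIB/$1/$2.xml"
    else return 1
    fi
}

# Define a service that consists of exactly one port.
write_service() {  # $1 = service name, $2 = port, $3 = protocol
    mkdir -p "$ETC/services"
    cat > "$ETC/services/$1.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <port protocol="$3" port="$2"/>
</service>
EOF
}

# Copy a base zone to a new zone in /etc/firewalld/zones, enable the service
# in the copy and make the copy the default zone. The shipped zone file under
# /usr/lib/firewalld is only read, never modified.
make_zone() {  # $1 = base zone, $2 = new zone, $3 = service name
    src=$(effective_file zones "$1") || { echo "no zone file for $1" >&2; return 1; }
    mkdir -p "$ETC/zones"
    awk -v s="$3" '/<\/zone>/ { print "  <service name=\"" s "\"/>" } { print }' \
        "$src" > "$ETC/zones/$2.xml.new" && mv "$ETC/zones/$2.xml.new" "$ETC/zones/$2.xml"
    sed "s|^DefaultZone=.*|DefaultZone=$2|" "$ETC/firewalld.conf" \
        > "$ETC/firewalld.conf.new" && mv "$ETC/firewalld.conf.new" "$ETC/firewalld.conf"
}

# Steps from the thread, run as root with ROOT empty:
#   write_service minecraft 25565 tcp
#   make_zone internal cb minecraft
#   systemctl restart firewalld.service
```
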
Closing. The way to permanently allow a service or add a port is described in the man pages shipped with firewalld-0.2.5-1.fc17.
The gnome printer config tricks the user into installing firewalld, which has no configuration program yet. Attempting to start the old firewall configuration program tells you to start firewall-config, which does not yet exist in F17. Attempting to print will show the print job forever stuck in the print queue because firewalld does not open the necessary port. As a user, you are supposed to understand somehow that the problem is with the firewall, and fix it by reading firewalld's man page and knowing somehow which port/service you need opened.
User-friendliness at its absolute worst.
I suggest you fix this problem at its root by removing gnome printer config until it works with the rest of your software stack.